Gearing up for GDPR

Recap of Deloitte’s GDPR Expert Talks event, May 11th 2017

With the introduction of the EU’s General Data Protection Regulation (GDPR) just one year away, Deloitte’s GDPR Expert Talks event was aimed at offering privacy experts the content and contacts they need to prepare their organisations. Along with industry-specific breakout sessions, attendees were treated to the insights of three keynote speakers from politics (Kees Verhoeven), business (Cassandra Moons) and academia (Bibi van den Berg) on privacy under GDPR.

GDPR from a government, business and scientific perspective


GDPR from a political perspective - “The Hague needs to wake up”

Kees Verhoeven, Member of Dutch Parliament for D66, observed that privacy is not really on the radar of most politicians in The Hague, but is rapidly gaining urgency.

He argued that, with the borders between our on- and offline lives fast fading, our security, democracy and privacy are at risk. We cannot leave it to businesses alone to deal with these risks, as they have plenty of incentive to collect our data (after all, the most valuable commodity of the 21st century) but no incentive to protect consumers. It is the government’s responsibility to guarantee the freedom of consumers, by ensuring that they have insight into their data, plus control over who has access to it and what it is used for. GDPR is a “very good step forward” in this regard, though success will depend on implementing the rules in a way that is practical for smaller companies as well as larger ones.

Verhoeven is convinced that, contrary to what is often heard, privacy protection is not going to stifle innovation and economic growth but can actually give rise to new business models. A good example is DIME, a Dutch start-up that enables consumers to earn money with their own data. In the future, he said, the Googles of this world may have to share some of those billions in profits earned with consumer data. If Dutch politics wakes up to the privacy issue in time (and Verhoeven will do all he can to make this happen), our country can remain a front runner in Europe’s digital economy.

GDPR from a business perspective - “Everything for a smile”

Cassandra Moons, legal counsel at Coolblue, one of the Netherlands’ most successful online retailers, explained how consumer data is vital to her company in dealing with its booming sales figures. Data is what helps Coolblue predict peaks in daily orders, manage its supply chain and ensure the smoothest possible customer journey. “Everything for a smile” is their motto and of course the goal is to turn website visitors into buyers (i.e. raise the conversion rate), culminating in “the holy grail”, a healthy Net Promoter Score.

To get the information it needs, Coolblue analyses every scrap of data on consumers that comes its way. This data, “marketing candy” Moons called it, brings the company closer and closer to its customers. Smart advertising through Google and social media puts ads where they are likely to be most effective. Further down the road, personalization is key. E-commerce companies like Coolblue ultimately want to show each customer only what he or she is interested in. This could be done by creating a Customer Dashboard, where customers themselves are in charge, and can customise what they see on their visits to the website. This, Moons said, is where we hit the GDPR button. If companies are transparent about their data use, we create a win-win situation.

Inherently, however, Coolblue lives in fear of the introduction of GDPR, which Moons called a “conversion killer”. A big challenge is the company’s legacy system, which ties everything, including after-sales service, to order data. If this must be deleted, the system cannot function. Another threat is contractual claims as a result of liability expansion from non-EU business partners. Start-ups processing customer data, meanwhile, lack the knowledge and resources to comply with GDPR. And there is also insufficient clarity about the role of the data controller in relation to consumers and other controllers. Finally, the one-size-fits-all approach of GDPR supervision takes insufficient account of sector and market factors. The difference in the kind of data collected and its use is enormous between, say, a retailer and a hospital.

GDPR from a scientific perspective - “the way we design architecture shapes our freedom and rights”

Bibi van den Berg, Associate Professor at Leiden University, called herself an optimist who loves technology. But now that we are on the threshold of the Internet of Things, which is going to produce an explosion of data to be crunched with big data analytics, GDPR may prove inadequate. It focuses on personal data, while ordinary data, in huge quantities, is potentially far more revealing. By the time we get round to drafting legislation, it will be too late. She feels it’s time we started thinking “inside the box”.

Regulation, seen more broadly, includes not just legislation, but also social norms, market forces and, most interestingly, architecture. The way we design our online world can hem us in and guide us in the right direction, shaping our freedoms and rights. Instead of regulating after the fact with laws, we need to focus more on the front end, on what designers are doing. Right now, the business community is presenting the arrival of the Internet of Things as inevitable. But is it? Gadgets from smart metering to smart clothing are marketed as “convenient” for consumers, but the benefits for them are minimal compared to the benefits for companies in terms of valuable data. These products are rushed to market and pose security and privacy risks for consumers, while laws to protect them and punish companies are a long way off. The quickest solution, Van den Berg believes, is to introduce an “air gap” between smart products and the internet. In a LAN environment, the consumer still enjoys most of the benefits, without the attendant risks.

Deloitte and GDPR

Listening to Annika Sponselee, head of the Deloitte Privacy team, is a cure for any feelings of doom and gloom about GDPR. She emphasizes that GDPR is about more than just compliance. Regulation that forces companies to organise their data collection can be a blessing in disguise, as a lot of value can be reaped from such well-organised data. And Deloitte is here to support companies, not only with GDPR compliance, but also with making the most of this treasure trove of legally obtained data.
